pravega / schema-registry

Pravega Schema Registry repository
Apache License 2.0

Twistlock Scan Findings #212

Closed shshashwat closed 3 years ago

shshashwat commented 3 years ago

Problem description

A few critical and high CVEs were reported in the schema-registry Twistlock report. The components need to be upgraded to the fixed versions provided.

| S.no | Package | CVE ID | Package Version | Fixed Version |
|---|---|---|---|---|
| 1 | oniguruma | CVE-2020-26159 | 6.9.4-r0 | 6.9.4-r1 |
| 2 | oniguruma | CVE-2019-19204 | 6.9.4-r0 | 6.9.5-r2 |
| 3 | oniguruma | CVE-2019-19012 | 6.9.4-r0 | 6.9.5-r2 |
| 4 | oniguruma | CVE-2019-19203 | 6.9.4-r0 | 6.9.5-r2 |
| 5 | libx11 | CVE-2020-14363 | 1.6.7-r0 | 1.6.12-r0 |
| 6 | libbsd | CVE-2019-20367 | 0.8.6-r2 | 0.10.0-r0 |
| 7 | sqlite-libs | CVE-2019-5018 | 3.26.0-r3 | 3.28.0-r0 |
| 8 | sqlite-libs | CVE-2019-8457 | 3.26.0-r3 | 3.28.0-r0 |
| 9 | sqlite-libs | CVE-2020-11655 | 3.26.0-r3 | 3.28.0-r3 |
| 10 | sqlite-libs | CVE-2019-19646 | 3.26.0-r3 | 3.32.1-r0 |
| 11 | sqlite-libs | CVE-2020-11656 | 3.26.0-r3 | 3.32.1-r0 |
| 12 | sqlite-libs | CVE-2020-13630 | 3.26.0-r3 | 3.32.1-r0 |
| 13 | sqlite-libs | CVE-2019-19244 | 3.26.0-r3 | 3.28.0-r2 |
| 14 | libbz2 | CVE-2019-12900 | 1.0.6-r6 | 1.0.6-r7 |
| 15 | libssl1.1, libcrypto1.1 | CVE-2020-1967 | 1.1.1b-r1 | 1.1.1g-r0 |
| 16 | libstdc++, libgcc | CVE-2019-15847 | 8.3.0-r0 | 9.3.0-r0 |
| 17 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-10672 | 2.9.8 | 2.9.10.4 |
| 18 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-10673 | 2.9.8 | 2.9.10.4 |
| 19 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-20330 | 2.9.8 | 2.9.10.2 |
| 20 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-10968 | 2.9.8 | 2.9.10.4 |
| 21 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-10969 | 2.9.8 | 2.9.10.4 |
| 22 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-11111 | 2.9.8 | 2.9.10.4 |
| 23 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-11112 | 2.9.8 | 2.9.10.4 |
| 24 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-11113 | 2.9.8 | 2.9.10.4 |
| 25 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-17531 | 2.9.8 | 2.9.10.1 or 2.8.11.5 or 2.6.7.3 or 2.10.0 or later |
| 26 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-17267 | 2.9.8 | 2.9.10 |
| 27 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-16943 | 2.9.8 | 2.9.10.1 or 2.8.11.5 or 2.6.7.3 or 2.10.0 or later |
| 28 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-16942 | 2.9.8 | 2.9.10.1 or 2.8.11.5 or 2.6.7.3 or 2.10.0 or later |
| 29 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-16335 | 2.9.8 | 2.9.10 |
| 30 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-8840 | 2.9.8 | 2.9.10.1 or 2.8.11.5 or 2.6.7.3 or 2.10.0 or later |
| 31 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-9546 | 2.9.8 | 2.9.10.4 |
| 32 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-9547 | 2.9.8 | 2.9.10.4 |
| 33 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-9548 | 2.9.8 | 2.9.10.4 |
| 34 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-14540 | 2.9.8 | 2.9.10 |
| 35 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-14060 | 2.9.8 | 2.9.10.5 |
| 36 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-14061 | 2.9.8 | 2.9.10.5 |
| 37 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-14062 | 2.9.8 | 2.9.10.5 |
| 38 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-14195 | 2.9.8 | 2.9.10.5 |
| 39 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-24616 | 2.9.8 | 2.9.10.6 |
| 40 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-24750 | 2.9.8 | 2.9.10.6 |
| 41 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-11620 | 2.9.8 | 2.9.10.4 |
| 42 | com.fasterxml.jackson.core_jackson-databind | CVE-2020-11619 | 2.9.8 | 2.9.10.4 |
| 43 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-14439 | 2.9.8 | 2.9.9.2 |
| 44 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-14892 | 2.9.8 | 2.9.10, 2.8.11.5, 2.6.7.3 |
| 45 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-12086 | 2.9.8 | 2.9.9 |
| 46 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-14379 | 2.9.8 | 2.9.9.2 |
| 47 | com.fasterxml.jackson.core_jackson-databind | CVE-2019-14893 | 2.9.8 | 2.10.0, 2.9.10 |
| 48 | org.yaml_snakeyaml | CVE-2017-18640 | 1.23 | 1.26 |
| 49 | io.netty_netty-codec | CVE-2019-20445 | 4.1.36.Final | 4.1.44 |
| 50 | io.netty_netty-codec | CVE-2019-20444 | 4.1.36.Final | 4.1.44 |
| 51 | io.netty_netty-codec | CVE-2020-11612 | 4.1.36.Final | 4.1.46 |
| 52 | io.netty_netty-codec | CVE-2019-16869 | 4.1.36.Final | 4.1.42.Final |
| 53 | log4j_log4j | CVE-2019-17571 | 1.2.17 | log4j 2.8.2 |
| 54 | org.apache.zookeeper_zookeeper | CVE-2018-8012 | 3.5.3 | 3.4.10 |
| 55 | org.keycloak_keycloak-core | CVE-2020-1714 | 6.0.1 | 11.0.0 |
| 56 | org.keycloak_keycloak-core | CVE-2020-1718 | 6.0.1 | 8.0.0 |
| 57 | org.keycloak_keycloak-core | CVE-2020-1731 | 6.0.1 | 8.0.2 |
| 58 | org.keycloak_keycloak-core | CVE-2019-10169 | 6.0.1 | 8.0.0 |
| 59 | org.keycloak_keycloak-core | CVE-2019-10170 | 6.0.1 | 8.0.0 |
| 60 | org.keycloak_keycloak-core | CVE-2019-10199 | 6.0.1 | 7.0.0 |
| 61 | org.keycloak_keycloak-core | CVE-2019-10201 | 6.0.1 | 7.0.0 |
| 62 | org.keycloak_keycloak-core | CVE-2019-14832 | 6.0.1 | 7.0.1 |
| 63 | org.keycloak_keycloak-core | CVE-2019-14837 | 6.0.1 | 8.0.0 |
| 64 | org.keycloak_keycloak-core | CVE-2020-10758 | 6.0.1 | 11.0.1 |
| 65 | org.apache.commons_commons-compress | CVE-2019-12402 | 1.18 | 1.19 or later |
| 66 | data mapper for jackson json processor_jackson-mapper-asl | CVE-2019-10172 | 1.9.13 | |

Suggestions for an improvement

Upgrade the library dependencies to the suggested versions so that nothing else breaks.